In the post-Snowden world, privacy is a highly marketable commodity. Big tech companies, perhaps hoping to distance themselves from involvement with the National Security Agency, have ramped up their efforts to encrypt user data, and new apps, services, and hardware all invoking terms like privacy, anonymous, and, of course, "NSA proof" are a dime a dozen.
But not all of those efforts are equal, security experts say. In some cases, consumers are learning that products marked as anonymous or private fail to live up to their promises.
"A lot of opportunists will jump at the chance to provide users with this type of service," says Runa Sandvik, former developer for the open source anonymous browsing tool Tor and current technologist with the Freedom of the Press Foundation. "Unfortunately they are going the wrong way about it and using a lot of marketing buzzwords, but don't really have users' privacy or anonymity as the top goal."
Whisper, which calls itself an anonymous messaging app, has faced intense media scrutiny recently after the Guardian alleged that the app tracked users' locations — including those of some users who had opted out of that feature. Capitol Hill has weighed in, with Senate Commerce Committee Chairman Sen. Jay Rockefeller (D-W.Va.) calling on Whisper CEO Michael Heyward to answer questions about the service's privacy record.
Although Heyward has disputed some of the Guardian's reporting, Whisper Editor-in-Chief Neetzan Zimmerman, a former Gawker writer known for his ability to create viral content, and other members of the editorial staff have reportedly been placed on leave as the company investigates.
"Whisper does use the word anonymous on its official support page — but it never actually defined what that meant," said Sandvik.
That is not unique to Whisper. Rather, it applies to a whole host of other products that use the language of privacy to market themselves, but may not have the technical chops to meet customers' actual expectations, she said.
"They all use words like anonymous, secret, or privacy friendly, but they all define these terms in totally different ways and it's not obvious how each company defines these terms for their products," Sandvik explained. One such buzzword is "NSA-proof" — a term Sandvik says was invented by the media after the Snowden leaks.
Another case involved Anonabox, a tiny Internet router that claimed it was custom-built to securely route online traffic through the Tor network. It exploded on crowd-funding platform Kickstarter earlier this month — raking in more than $600,000 in pledges. It was suspended after questions were raised about the source of the hardware and its security features.
But even as that project floundered, Sandvik says its popularity indicates that there is an underserved market of consumers who want easy-to-use privacy technology. Many of the tools trusted by experts, like Tor and PGP e-mail encryption, come with a steep learning curve, and remain less convenient than less secure services even when mastered.
"Some of these tools are hard to get started with — they are difficult or cumbersome to use," she said. "Ask anyone who frequently sends encrypted e-mail, and a lot of them will say they will end up being slower to respond to encrypted messages just because it takes more time to go through the process."
For more casual consumers, glossy apps promising secure communications can be alluring, and it can be difficult to tell the trusted tools from the snake oil. But the Surveillance Self-Defense guide recently relaunched by the Electronic Frontier Foundation is a good place to start to understand the basics of digital security.
Peddlers of products using dubious privacy and security claims may also want to watch out: The Federal Trade Commission doesn't take kindly to deceptive marketing tactics. The agency settled charges this year alleging picture and chat app Snapchat misled customers by saying messages sent through the service actually disappeared.